bug 800882 - make about:certerror clear as to why overrides don't work on HSTS sites r=dao ui-r=phlsa

2024-09-13 09:24:08 -07:00 · 2014-08-26 11:31:34 -07:00 · 2014-08-26 11:31:34 -07:00 · 1a5baf7b2d
commit 1a5baf7b2d
parent f05c37ff89
2 changed files with 12 additions and 2 deletions
--- a/browser/base/content/aboutcerterror/aboutCertError.xhtml
+++ b/browser/base/content/aboutcerterror/aboutCertError.xhtml
@ -80,7 +80,8 @@
        };
        replaceWithHost(intro);

-        if (getCSSClass() == "expertBadCert") {
+        var cssClass = getCSSClass();
+        if (cssClass == "expertBadCert") {
          toggle('technicalContent');
          toggle('expertContent');
        }
@ -88,8 +89,12 @@
        // Disallow overrides if this is a Strict-Transport-Security
        // host and the cert is bad (STS Spec section 7.3) or if the
        // certerror is in a frame (bug 633691).
-        if (getCSSClass() == "badStsCert" || window != top)
+        if (cssClass == "badStsCert" || window != top) {
          document.getElementById("expertContent").setAttribute("hidden", "true");
+        }
+        if (cssClass != "badStsCert") {
+          document.getElementById("badStsCertExplanation").setAttribute("hidden", "true");
+        }

        var tech = document.getElementById("technicalContentText");
        if (tech)
@ -214,6 +219,7 @@
          <h2>&certerror.whatShouldIDo.heading;</h2>
          <div id="whatShouldIDoContentText">
            <p>&certerror.whatShouldIDo.content;</p>
+            <p id="badStsCertExplanation">&certerror.whatShouldIDo.badStsCertExplanation;</p>
            <button id='getMeOutOfHereButton'>&certerror.getMeOutOfHere.label;</button>
          </div>
        </div>
--- a/browser/locales/en-US/chrome/browser/aboutCertError.dtd
+++ b/browser/locales/en-US/chrome/browser/aboutCertError.dtd
@ -26,6 +26,10 @@ going to the right place. However, this site's identity can't be verified.">
 <!ENTITY certerror.whatShouldIDo.content "If you usually connect to
 this site without problems, this error could mean that someone is
 trying to impersonate the site, and you shouldn't continue.">
+<!ENTITY certerror.whatShouldIDo.badStsCertExplanation "This site uses HTTP
+Strict Transport Security (HSTS) to specify that &brandShortName; only connect
+to it securely. As a result, it is not possible to add an exception for this
+certificate.">
 <!ENTITY certerror.getMeOutOfHere.label "Get me out of here!">

 <!ENTITY certerror.expert.heading "I Understand the Risks">